Privacy, Cybersecurity, and Other Protections for Investors

In today’s digital-first world, cybersecurity has emerged as a critical concern across all industries, but it is especially significant in the financial services sector. This is a domain where sensitive personal and financial data is routinely handled, making it a prime target for cybercriminals. For elderly individuals, the risks and impacts of cybersecurity breaches are heightened due to a combination of factors such as unfamiliarity with digital platforms, evolving scams, and the unique value they present to bad actors.

Protecting the Elderly and Vulnerable Clients: A High-Value Target
Senior and other vulnerable investors are often seen as lucrative targets by cybercriminals due to their accumulated savings, homeownership, and benefits such as pensions. Additionally, this demographic is less likely to report cybercrimes, whether due to shame, lack of awareness, or uncertainty about what to do about it and who to report it to.

As more of the population reaches retirement age, the appeal of an asset-rich, vulnerable demographic grows for cybercriminals. Government and regulatory agencies are aware of this growing and present danger, and of the important role Investment Advisers (IAs) play in protecting their senior investors.

The U.S. Securities and Exchange Commission (“SEC”) and states have introduced and amended several regulations to protect senior investors, including:

• Regulation S-P (Privacy of Consumer Financial Information): Regulation S-P addresses the protection of nonpublic information and requires financial institutions to safeguard the personal and financial data of associated persons. The rule mandates that clients be informed of their rights to data privacy, how their information is used, and if, and with whom, it is shared outside the collecting agency. This rule was recently amended to account for greater protections given the technological advancements in recent years.
• Regulation BI (Best Interest Standard): Regulation BI sets the standard for advisers and broker-dealers to act in the best interest of their clients, including measures to protect clients (and senior investors) from fraud and cybersecurity threats. Regulation BI addresses conflicts of interest, recommendations of appropriate and secure products and services, and more.
• Regulation S-ID (Identity Theft Red Flags): Regulation S-ID mandates that certain financial institutions and creditors implement an Identity Theft Prevention Program that includes adequate tools and protocols to identify red flags and concrete measures for the protection, detection, and response to potential identity theft threats.
• Senior Safe Act: State and other guidelines and regulations, such as the Senior Safe Act, add an additional layer of protection. Should the financial institution elect to adopt the Senior Safe Act, senior clients have an additional layer of protection by encouraging the reporting of suspected financial exploitation to authorities while protecting the financial institution from legal liability. Moreover, several states mandate escalation to law enforcement should the financial institution suspect financial exploitation.

SEC Investor Alerts Provide Key Guidance for Investors
In January of 2024, the SEC, NASAA, and FINRA issued an Investor Alert on Artificial Intelligence (“AI”) and Investment Fraud. The alert addresses growing concern for targeted scams that use AI to exploit vulnerable investors. Cybercriminals are using the popularity of AI to lure investors into scams through unregistered platforms, fake AI trading systems, and high-risk schemes like pump-and-dump.

These investment scams involving AI increasingly target vulnerable investors, particularly those unfamiliar with emerging technologies. Cybercriminals exploit the complexity of AI, promising “guaranteed” returns and offering unregistered investment platforms. These scams often use high-pressure tactics, celebrity endorsements, and AI-generated content, such as deepfakes, to appear legitimate. Older investors, or those less tech-savvy, are especially at risk as scammers use AI to impersonate family members or create fake videos. These fraudulent schemes prey on emotional responses, leading victims to make impulsive, ill-informed decisions. To protect themselves, investors must verify the legitimacy of platforms and professionals before engaging in any investment. To protect themselves, investors should consider the guidance provided by this and other Investor Alerts found at https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins such as taking steps to verify the legitimacy of platforms and professionals before engaging in any investment.

Understanding Key Cybersecurity Threats
In addition to more sophisticated cyber threats that make use of emerging technology, there are several common scams that we face in the financial services industry:

1. Phishing Scams: Fake emails, messages, or phone calls that mimic legitimate financial institutions to steal sensitive information like passwords or Social Security numbers. Oftentimes, the elderly will provide that information without verifying the legitimacy of the organization contacting them.
2. Ransomware Attacks: Malware that locks a user out of their device until a ransom is paid, often targeting those who might not recognize warning signs.
3. Investment Fraud: Fraudsters posing as financial advisors or representatives to manipulate seniors into transferring funds or investing in fictitious schemes.
4. Account Takeover Fraud: Using stolen credentials to gain unauthorized access to bank or retirement accounts.

The Role of Investment Advisers, Broker-Dealers, and Other Financial Institutions
Financial services providers play a pivotal role in safeguarding elderly clients against cyber threats. Measures such as advanced encryption, multi-factor authentication (MFA), and fraud monitoring systems are vital. However, technology alone is not enough; education and proactive engagement are equally crucial.

Financial service providers, including institutions, IAs, and BDs who serve senior investors, especially those managing portfolios with retirement savings, are expected to adhere to an enhanced “Duty of Care” when it comes to elderly clients.

It is important for both advisers and investors to adopt safety measures and bolster their cybersecurity efforts against sophisticated cyber criminals.

Financial service providers, including Investment Advisers and Broker-Dealers, can:

• Educate Clients: Offer cybersecurity workshops and resources tailored to the elderly, focusing on recognizing scams, setting strong passwords, and using secure networks.
• Implement Fraud Alerts: Provide real-time notifications for suspicious transactions.
• Simplify User Interfaces: Make online banking platforms more user-friendly for seniors, reducing the likelihood of errors that expose them to risk.
• Empower Caregivers: Enable trusted family members or legal representatives to monitor accounts for unusual activity.

Furthermore, regulatory and compliance experts often recommend other rules and practices for IAs and BDs to serve their elderly clients better:

• Establish a Trusted Contact: Service providers with senior clients should establish a Trusted Contact for their senior investors. This is usually someone related to them who can help the senior client steer clear of cybercriminals.
• Establish Communication Protocols: This outlines which communication methods will be used between the service provider and client, how the client can verify authenticity, and steps to take when in doubt.
• Provide the Client with a Resource List: Include contact information for the firm’s fraud hotline, and regulatory agencies such as the SEC and FINRA.

Empowering Your Clients
While financial institutions bear some responsibility, empowering seniors to take charge of their own cybersecurity is essential. Simple steps like installing antivirus software, using secure Wi-Fi connections, and avoiding sharing personal information over the phone or in an email can make a significant difference.

Community organizations and advocacy groups can also play a role by spreading awareness and providing support to victims of cybercrime.

A Call to Action
As the elderly population continues to grow, the intersection of cybersecurity and financial services will demand increasing attention. Collaboration between financial institutions, policymakers, and community organizations is essential to creating a safer digital environment for seniors.

By investing in technology, education, and compassionate support, the financial services industry can not only protect elderly clients but also foster trust and inclusivity in the digital age.

Author: Kathryn Konzen, Esq. is the Director of Operations and Counsel, at Jacko Law Group, PC (“JLG). With over 15 years of experience in the legal profession, she brings a diverse range of expertise in areas such as operations, eDiscovery consulting, business development, recruiting, and more. Her practice focuses on working closely with clients, assisting them with their Cybersecurity and AI legal needs. 

JLG works extensively with investment advisers, broker-dealers, investment companies, private equity and hedge funds, banks and corporate clients on securities and corporate counsel matters. For more information, please visit https://www.jackolg.com/.

The information contained in this article may contain information that is confidential and/or protected by the attorney-client privilege and attorney work product doctrine. This email is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended to and does not constitute a waiver of attorney-client privilege or attorney work product protections.

The Risk Management Tip is published solely based off the interests and relationship between the clients and friends of the Jacko Law Group P.C. (“JLG”) and should in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information or recent industry developments or particular situations, you should seek legal opinion or counsel.

You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.

[1] Service of process refers to the delivery of the legal documents that gives a defendant notice of the legal action filed against it and the opportunity to respond. Valid service of process on a defendant is required by the U.S. Constitution. Service of process must be accomplished by the plaintiff pursuant to the rules or statutes of the appropriate jurisdiction. These rules include how process documents can be delivered (such as in-hand delivery or certified or registered mail) and to whom that delivery can be made.